Social auth configuration

Social accounts authentication for a Self-Hosted solution

Note

This is a paid feature available forEnterprise clients.

You can now easily set up authentication with popular social services, which opens doors tosuch benefits as:

  • Convenience: you can use the existingsocial service credentials to sign in to CVAT.
  • Time-saving: with just two clicks, you cansign in without the hassle of typing in credentials, saving time and effort.
  • Security: social auth service providers havehigh-level security measures in place to protect your accounts.

Currently, we offer three options:

With more to come soon. Stay tuned!

Authentication with Google

To enable authentication, do the following:

  1. Log in to theGoogle Cloud console

  2. Create a project,and go toAPIs & Services

  3. On the left menu, selectOAuth consent, then selectUser type (Internal orExternal), and clickCreate.

  4. On theOAuth consent screen fill all required fields, and clickSave and Continue.

  5. On theScopes screen, clickAdd or remove scopes andselectauth/userinfo.email,auth/userinfo.profile, andopenid.ClickUpdate, andSave and Continue.
    For more information, seeConfigure Auth Consent.

  6. On the left menu, clickCredentials, on the topmenu click+ Create credentials, and selectOAuth client ID.

  7. From theApplication Type selectWeb application andconfigure:Application name,Authorized JavaScript origins,Authorized redirect URIs.
    For example, if you plan to deploy CVAT instance onhttps://localhost:8080, addhttps://localhost:8080to authorized JS origins andhttps://localhost:8080/api/auth/social/goolge/login/callback/ to redirect URIs.

  8. Create configuration file in CVAT:

    1. Create theauth_config.yml file with the following content:

      ---social_account:enabled:truegoogle:client_id:<some_client_id>client_secret:<some_client_secret>

    2. SetAUTH_CONFIG_PATH="<path_to_auth_config> environment variable.

  9. In a terminal, run the following command:

    docker compose -f docker-compose.yml -f docker-compose.dev.yml -f docker-compose.override.yml up -d --build

Authentication with GitHub

There are 2 basic steps to enable GitHub account authentication.

  1. Open the GitHub settings page.

  2. On the left menu, click<> Developer settings >OAuth Apps >Register new application.
    For more information, seeCreating an OAuth App

  3. Fill in the name field, set the homepage URL (for example:https://localhost:8080),and authentication callback URL (for example:https://localhost:8080/api/auth/social/github/login/callback/).

  4. Create configuration file in CVAT:

    1. Create theauth_config.yml file with the following content:

      ---social_account:enabled:truegithub:client_id:<some_client_id>client_secret:<some_client_secret>

    2. SetAUTH_CONFIG_PATH="<path_to_auth_config> environment variable.

  5. In a terminal, run the following command:

    docker compose -f docker-compose.yml -f docker-compose.dev.yml -f docker-compose.override.yml up -d --build

Note

You can also configureGitHub App,but don’t forget to add required permissions.
In thePermission >Account permissions >Email addresses must be set toread-only.

Authentication with Amazon Cognito

To enable authentication with Amazon Cognito for your CVAT instance, follow these steps:

  1. Create anAmazon Cognito pool(Optional)
  2. Set up a new app client
  3. Configure social authentication in CVAT

Now, let’s dive deeper into how to accomplish these steps.

Amazon Cognito pool creation

This step is optional and should only be performed if a user pool has not already been created.To create a user pool, follow these instructions:

  1. Go to theAWS Management Console
  2. LocateCognito in the list of services
  3. ClickCreate user pool
  4. Fill in the required fields

App client creation

To create a new app client, follow these steps:

  1. Go to the details page of the created user pool
  2. Find theApp clients item in the menu on the left
  3. ClickCreate app client
  4. Fill out the form as shown bellow:Create application client form in AWS with assigned parameters
    • Application type:Traditional web application
    • Application name: Specify a desired name, or leave the autogenerated one
    • Return URL (optional): Specify the CVAT redirect URL(<http|https>://<cvat_domain>/api/auth/social/amazon-cognito/login/callback/).This setting can also be updated or specified later after the app client is created.
  5. Navigate to theLogin pages tab of the created app client
  6. Check the parameters in theManaged login pages configuration section and edit them if needed:Managed login pages configuration in AWS with application parameters
    • Allowed callback URLs: Must be set to the CVAT redirect URL
    • Identity providers: Must be specified
    • OAuth grant types: TheAuthorization code grant must be selected
    • OpenID Connect scopes:OpenID,Profile,Email scopes must be selected

Setting up social authentication in CVAT

To configure social authentication in CVAT, create a configuration file(auth_config.yml) with the following content:

---social_account:enabled:trueamazon_cognito:client_id:<client_id>client_secret:<client_secret>domain:<custom-domain> orhttps://<custom-cognito-prefix>.auth.us-east-1.amazoncognito.com

To find theclient_id andclient_secret values, navigate to the created app client pageand check theApp client information section. To finddomain, look for theDomain item in the list on the left.

Once the configuration file is updated, several environment variables must be exported before running CVAT:

exportAUTH_CONFIG_PATH="<path_to_auth_config>"exportCVAT_HOST="<cvat_host>"# cvat_port is optionalexportCVAT_BASE_URL="<http|https>://${CVAT_HOST}:<cvat_port>"

Start the CVAT enterprise instance as usual.That’s it! On the CVAT login page, you should now see the optionContinue with Amazon Cognito.CVAT login page with social account authentication option